Commit f8d31b3

committed
Acrolinx fixes
1 parent 45788dd commit f8d31b3

1 file changed

+6
-6
lines changed

CloudAppSecurityDocs/migrate-to-supported-api-solutions.md

Lines changed: 6 additions & 6 deletions
@@ -5,11 +5,11 @@ ms.date: 05/19/2025
55
ms.topic: article
66
---
77

8-
# Migrate from Defender for Cloud Apps SIEM Agent to Supported APIs
8+
# Migrate from Defender for Cloud Apps SIEM agent to supported APIs
99

10-
Transitioning from the legacy [Defender for Cloud Apps SIEM agent ](siem.md) to supported APIs enables continued access to enriched activities and alerts data. While the APIs may not have exact one-to-one mappings to the legacy Common Event Format (CEF) schema, they provide comprehensive and enhanced data enriched by integration across multiple Microsoft Defender workloads.
10+
Transitioning from the legacy [Defender for Cloud Apps SIEM agent ](siem.md) to supported APIs enables continued access to enriched activities and alerts data. While the APIs might not have exact one-to-one mappings to the legacy Common Event Format (CEF) schema, they provide comprehensive, enhanced data through integration across multiple Microsoft Defender workloads.
1111

12-
## Recommended APIs for Migration
12+
## Recommended APIs for migration
1313

1414
> To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
1515
>
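Review bot: The link text in the rewritten intro paragraph still carries a trailing space inside the brackets, `[Defender for Cloud Apps SIEM agent ](siem.md)`, copied unchanged from the removed line. Since this pass is already touching that sentence for style, drop the space so it reads `[Defender for Cloud Apps SIEM agent](siem.md)` and the rendered link does not include the stray whitespace.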
@@ -30,16 +30,16 @@ The table below compares the legacy SIEM agent’s CEF fields to the nearest equ
3030
| `rt` | Activity or alert timestamp | `createdDateTime` | `createdDateTime` / `lastUpdateDateTime` / `resolvedDateTime` |
3131
| `msg` | Alert or activity description (human-readable) | Closest structured fields: `actorDisplayName`, `ObjectName`, `ActionType`, `ActivityType` | `description` |
3232
| `suser` | Activity or alert subject user | `AccountObjectId`, `AccountId`, `AccountDisplayName` | See `userEvidence` resource type |
33-
| `destinationServiceName` | Originating app (e.g., SharePoint, Box) | `CloudAppEvents > Application` | See `cloudApplicationEvidence` resource type |
34-
| `cs<X>Label`, `cs<X>` | Dynamic fields (e.g., target user, object) | `Entities`, `Evidence`, `additionalData`, `ActivityObjects` | Various `alertEvidence` resource types |
33+
| `destinationServiceName` | Originating app (for example, SharePoint, Box) | `CloudAppEvents > Application` | See `cloudApplicationEvidence` resource type |
34+
| `cs<X>Label`, `cs<X>` | Dynamic fields (for example, target user, object) | `Entities`, `Evidence`, `additionalData`, `ActivityObjects` | Various `alertEvidence` resource types |
3535
| `EVENT_CATEGORY_*` | High-level activity category | `ActivityType` / `ActionType` | `category` |
3636
| `<name>` | Matched policy name | `Title`, `alertPolicyId` | `Title`, `alertPolicyId` |
3737
| `<ACTION>` (Activities) | Specific activity type | `ActionType` | N/A |
3838
| `externalId` (Activities) | Event ID | `ReportId` | N/A |
3939
| `requestClientApplication` (activities)| User agent of client device | `UserAgent` | N/A |
4040
| `Dvc` (activities) | Client device IP | `IPAddress` | N/A |
4141
| `externalId` (Alert) | Alert ID | `AlertId` | `id` |
42-
| `<alert type>` | Alert type (e.g., ALERT_CABINET_EVENT_MATCH_AUDI) | - | - |
42+
| `<alert type>` | Alert type (for example, ALERT_CABINET_EVENT_MATCH_AUDI) | - | - |
4343
| `Src` / `c6a1` (alerts) | Source IP | `IPAddress` | `ipEvidence` resource type |
4444

4545
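Review bot: In the `<alert type>` row the example value `ALERT_CABINET_EVENT_MATCH_AUDI` is left as plain text while every other field name in the table is in backticks, and both target columns are just `-` with no explanation. Wrap the value in backticks, confirm the name is spelled out in full, and consider a short note under the table saying that no equivalent exists in either API, so readers with SIEM rules keyed on the CEF alert type know they need a different field such as `category` or `alertPolicyId`. While in this table, the unchanged `requestClientApplication` row is missing the space before its first pipe (`(activities)|`), and the qualifiers vary between `(Activities)`, `(activities)`, `(Alert)` and `(alerts)`; a style pass is a good place to make those consistent.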
